CN115423045A - System log detection method and system based on GAN network and meta learning - Google Patents


Info

Publication number
CN115423045A
Authority
CN
China
Prior art keywords
model
log
meta
network
learning
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211245771.8A
Other languages
Chinese (zh)
Inventor
韩蒙
夏海生
洪榛
温震宇
张龙源
戴强
林昶廷
王滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Juntong Intelligent Technology Co ltd
Original Assignee
Zhejiang Juntong Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Juntong Intelligent Technology Co ltd filed Critical Zhejiang Juntong Intelligent Technology Co ltd
Priority to CN202211245771.8A priority Critical patent/CN115423045A/en
Publication of CN115423045A publication Critical patent/CN115423045A/en
Pending legal-status Critical Current

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a system log detection method based on a GAN network and meta-learning. It uses a generative adversarial network to generate a balanced data set, inputs the generated balanced data set into a meta-learning model for training, and outputs the log classification. This effectively solves the technical problem that system log detection is inaccurate when the log data is unbalanced or the amount of log data is too small, and improves the accuracy of system log detection. In addition, the invention discloses a system log detection system based on a GAN network and meta-learning, which constructs a generative adversarial network model and a hyperparameter meta-network model, detects well when the input system log data is unbalanced or too small in volume, and achieves higher detection accuracy.

Description

System log detection method and system based on GAN network and meta learning
Technical Field
The invention relates to the technical field of computer system security detection, in particular to a system log detection method and system based on a GAN network and meta learning.
Background
With the rapid development of the shared and open internet, network attacks are becoming increasingly automated and diversified, and network security faces unprecedented challenges. Network security threats mainly comprise internal system vulnerabilities, misoperation and external attacks. Any network system can output log files that record the running state of the system and the operations it executes, and these log files help with intrusion detection, fault handling, time correlation, accident handling, after-the-fact investigation and more. Applying log analysis to online monitoring and threat detection is one of the research hot spots in computer security.
As network intrusions evolve from independent, simple, direct and easily exposed attacks into organized, targeted and long-lasting APT attacks, and as systems are increasingly developed at large scale, deployed in a distributed fashion and run with high parallelism and redundancy, traditional detection methods, which depend on manually selected features, are overwhelmed by massive log data and highly concealed attack techniques. Meanwhile, the rapid progress of deep learning offers a new way to address these problems.
Deep learning has developed vigorously in the big-data era, for example convolutional neural networks, which focus on learning the spatial features of samples, and recurrent neural networks, which mine time-series features. With suitable parameters a deep learning model needs no manual feature extraction: the model performs feature extraction and detection itself, greatly reducing the workload while maintaining accuracy. The accuracy of a deep learning detection model is mainly influenced by three factors: the model structure must fit the data structure; the model needs a sufficiently large, balanced data set for training; and the model needs appropriate hyperparameters. When the data volume is small, a traditional neural network cannot be trained to high accuracy, and some studies propose remedies such as transfer learning from a pre-trained model. However, in some scenarios raw data suitable for pre-training is lacking, the available data may differ from the data used for pre-training, and the samples of a single class may be too few, for example rare system anomalies or attacks. Unbalanced data sets tend to bias model predictions. For a classification problem, if the sample counts of two classes differ greatly, the accuracy of the trained model can be seriously affected. As a simple example, consider classifying DoS attacks and SQL injection attacks, where the DoS attack has 990 logs and the SQL injection attack has 10 logs. The model can then reach a 99% recognition rate simply by predicting every input sample as a DoS attack, but such a classifier has no value because it cannot predict SQL injection attacks.
In existing log anomaly detection models built on deep learning, the imbalance of the training data set and the small amount of data often make the prediction accuracy of the trained model low, and logs of classes with few samples may not be detected at all. Among current solutions, undersampling randomly selects from the majority class a number of samples comparable to the minority class, and combines them with the minority-class samples into a new data set. The number of samples after undersampling depends on the number of original minority-class samples, so when the two classes differ greatly in size and the minority class is small, important information from the majority class is likely to be lost. Oversampling simply draws the same samples from the minority class many times until the numbers of positive and negative samples are close, and then trains on the result. However, expanding the minority class increases the complexity of model training, and directly copying samples makes the rules learned by the learner overly specific and prone to overfitting.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide a system log detection method and system based on a GAN network and meta-learning, which solve the technical problem that system logs cannot be detected accurately when the log data is unbalanced or the amount of log data is too small, and which improve the accuracy of system log detection.
To achieve this purpose, the invention adopts the following technical scheme:
A system log detection method based on a GAN network and meta-learning comprises the following steps:
S1, acquiring log text data and system hardware data of a system, and constructing standard multi-sequence data from them;
S2, constructing a generative adversarial network model, taking the multi-sequence data as its input, letting its generative model and discriminative model play against each other, updating the loss function and the cross entropy of the generative adversarial network model by back propagation, obtaining the generative adversarial network model with optimal parameters, and outputting a balanced log training data set;
S3, introducing a hyperparameter meta-network as the meta-learner in meta-learning, wherein the network uses the current network weights and the total loss function of each step to generate a learning rate parameter and a weight decay coefficient, so that each inner-loop iteration in the meta-learning training process can adapt to the given task;
S4, taking the generative adversarial network model with optimal parameters as the base learner for meta-learning, and taking the hyperparameter meta-network as the meta-learner, to construct a log detection meta-learning model;
S5, inputting the balanced log training data set into the log detection meta-learning model for classification model training, and outputting the classification of the log.
Further, in the system log detection method based on the GAN network and meta-learning, step S1 includes:
acquiring system log text data from the main log text sequence of the system, extracting log template sequence numbers with a log parser, and obtaining a log data sequence of size N x 1;
acquiring system hardware sequence data of size N x N, wherein the hardware sequence data comprises the index information of each piece of system hardware and the corresponding acquisition time, and N is the number of indexes acquired from the system hardware;
matching the log data sequence with the hardware sequence data along the time dimension to obtain standard multi-sequence data of size N (1 + N), wherein each piece of system log data corresponds to one piece of system hardware sequence data.
Further, in the system log detection method based on the GAN network and meta-learning, step S2 includes:
S21, inputting the multi-sequence data into the generative model to generate a fake log sample set;
S22, inputting the fake log sample set and the real log sample set into the discriminative model, which judges whether the fake log sample set is real or fake;
S23, during discrimination, continuously updating the parameters of the discriminative model through its loss function until the discriminative model can judge whether the fake log sample set is real or not, at which point training of the discriminative model is finished; the trained discriminative model then judges the fake log sample set produced by the generative model and feeds the discrimination result back to the generative model;
S24, continuously updating the parameters of the generative model through its loss function, optimizing the fake log sample set it generates;
S25, inputting the fake log sample set produced by the generative model and the real log sample set into the discriminative model for discrimination; when the discriminative model can no longer tell whether an input sample set is the fake log sample set produced by the generative model or the real log sample set, training of the generative model is finished and training of the discriminative model continues;
S26, when the set number of training cycles is reached, the generative model and the discriminative model are in balance, a mature generative model is obtained, and training is finished.
Further, in the system log detection method based on the GAN network and the meta learning, step S203 includes:
continuously updating the parameters of the discriminant model based on the loss function in the discriminant model of
Figure BDA0003886081450000041
where $\theta$ is the initial weight, $m$ is the number of samples, $x_i$ is the i-th real log sample, $Z_i$ is the i-th fake log sample, $D(x_i)$ is the probability that log $x_i$ is judged to be real, $G(Z_i)$ is the generated log sample, $D(G(Z_i))$ is the probability that the generated log sample is judged to be a real log, $\log D(x_i)$ is the logarithm of the probability that the discriminative model judges a real log sample to be real data, and $\log(1 - D(G(Z_i)))$ is the logarithm of the probability that the discriminative model judges a fake log sample produced by the generative model to be fake data.
Further, step S204 in the system log detection method based on GAN network and meta learning includes:
continuously updating parameters of the generative model based on a loss function in the generative model of
Figure BDA0003886081450000042
The loss function of the discriminative model is maximized and the loss function of the generative model is minimized, so the optimization function of the generative adversarial network model is expressed as:
$$\min_G \max_D V(D, G) = E[\log D(x_i)] + E[\log(1 - D(G(Z_i)))]$$
where $E[\log D(x_i)]$ is the expectation of the probability that the discriminative model judges a real log sample to be real data, and $E[\log(1 - D(G(Z_i)))]$ is the expectation of the probability that the discriminative model judges a fake log sample produced by the generative model to be fake data.
Further, in the system log detection method based on the GAN network and meta-learning, the step of obtaining the generative adversarial network model with optimal parameters comprises:
inputting the multi-sequence data into the generative model to generate a fake log sample set;
inputting the fake log sample set and the real log sample set into the discriminative model to obtain the generated distribution of the fake log sample set produced by the generative model;
updating the loss function and the cross entropy of the generative adversarial network model by back propagation, and updating the model parameters of each layer backwards until the optimal parameters of the generative adversarial network model are obtained, wherein the cross entropy is the cross entropy between the sample distribution of the real log sample set and the generated distribution of the fake log sample set;
the cross entropy H is calculated as:
Figure BDA0003886081450000051
where $p_i$ is the sample distribution of the real log sample set and $q_i$ is the generated distribution of the fake log sample set.
Further, step S3 in the system log detection method based on GAN network and meta learning includes:
inputting the balanced log training data set into the meta-learning network for pre-training, giving k subtasks in the pre-training task, and dividing the data set of each subtask into a training set and a test set;
training on the training sets of the k subtasks to obtain the model parameters of each subtask; testing each subtask's model parameters with that subtask's test set, and calculating the loss function $l_k$ between the predicted value and the real label in each subtask;
based on the loss function $l_k$ of each subtask, the loss function of the meta-learning network
Figure BDA0003886081450000052
is:
Figure BDA0003886081450000053
where $D_i$ represents the probability that the generated log in the i-th training task is judged to be real, $T_i$ represents the i-th training task, $l_h$ represents the loss function of the h-th training task, and $l_1 \dots l_k$ are the loss functions of the subtasks.
Further, step S3 in the system log detection method based on GAN network and meta learning includes:
setting the parameters of the subtask with the best model parameters among the k subtasks as the initial parameters of the hyperparameter meta-network, that is, as the initial weights $\theta$ of the network; based on these initial parameters and the loss function of the meta-learning network, training the model on the balanced log training data set and adapting to the training task with a fixed number of inner-loop updates, where the update is:
Figure BDA0003886081450000061
where $\theta_{i+1}$ is the weight at step i+1 and $\theta_i$ is the weight at step i; the adaptation process is controlled through the hyperparameters in the update equation, namely the learning rate parameter $\alpha$ and the regularization parameter $\beta$, and $\lambda$ is a regularization coefficient;
and generating the optimal hyper-parameter through model training.
Further, step S3 in the system log detection method based on the GAN network and meta learning further includes:
the hyperparameter generation network adopts a 3-layer MLP structure with ReLU activation, takes the mean values of the gradients and weights of each layer as input, first generates its outputs, the learning rate $\alpha$ and the regularization parameter $\beta$, item by item, and then copies these parameters to the respective parameters $\theta_i$.
A system log detection system based on a GAN network and meta-learning, the system comprising:
an acquisition module, used for acquiring log text data and system hardware data of the system and constructing standard multi-sequence data from them;
a generative adversarial network module, used for constructing a generative adversarial network model, taking the multi-sequence data as its input, letting its generative model and discriminative model play against each other, updating the loss function and the cross entropy of the generative adversarial network model by back propagation, obtaining the generative adversarial network model with optimal parameters, and outputting a balanced log training data set;
a hyperparameter meta-network module, used for introducing a hyperparameter meta-network as the meta-learner in meta-learning, wherein the network uses the current network weights and the total loss function of each step to generate a learning rate parameter and a weight decay coefficient, so that each inner-loop iteration can adapt to the given task during meta-learning training;
a log detection meta-learning model module, used for taking the generative adversarial network model with optimal parameters as the base learner for meta-learning and the hyperparameter meta-network as the meta-learner, to construct a log detection meta-learning model;
a classification module, used for inputting the balanced log training data set into the log detection meta-learning model for classification model training and outputting the classification of the log.
Compared with the prior art, the system log detection method and system based on the GAN network and meta-learning provided by the invention have the following beneficial effects: a balanced data set is generated by the generative adversarial network and input into the meta-learning model for training, which effectively solves the prior-art problems of unbalanced log data and too small a log data volume and improves the accuracy of system log detection; the generative adversarial network resolves the bias that arises when a log anomaly detection model is trained and used for prediction; in resolving that bias, the problems of model overfitting and information loss are also effectively addressed; and the meta-learning model resolves the inaccurate model predictions caused by a small amount of log data.
Drawings
Fig. 1 is a schematic flowchart of a system log detection method based on a GAN network and meta-learning according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the specific steps of step S1 of a system log detection method based on a GAN network and meta-learning according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a training method for the generative adversarial network model according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of the specific steps of step S3 of a system log detection method based on a GAN network and meta-learning according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a system log detection system based on a GAN network and meta-learning according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to the specific embodiments shown in the drawings, which are not intended to limit the present invention, and structural, methodological, or functional changes made by those skilled in the art according to the specific embodiments are included in the scope of the present invention.
The method uses the generative model of a generative adversarial network (GAN) to produce a fake log sample set. The generated fake log sample set and the real log sample set are input into the discriminative model, which judges whether a sample comes from the real log sample set or from the fake log sample set produced by the generative model. The generative model aims to produce fake samples that closely resemble actual samples, so as to deceive the discriminative model as far as possible, while the discriminative model aims to distinguish the generated fake log sample set from the real log sample set as well as possible. Through this continuous game the two models improve each other until they reach a stable, balanced state, and the generative model outputs a balanced log data set. The generated balanced log data set is input into the trainer of the meta-learning neural network for training: n subtasks are randomly drawn from the training tasks, model parameters are trained for each subtask, and the parameters are updated by gradient descent to find the optimal hyperparameter setting. The learner in the meta-learning model is then trained by the trained trainer, whose prior knowledge lets the learner train better on specific tasks. The trained learner detects well even logs of classes with only a few samples.
In one embodiment of the present invention as shown in fig. 1, the present invention provides a system log detection method based on GAN network and meta learning, the method comprising the steps of:
S1, acquiring log text data and system hardware data of a system, and constructing standard multi-sequence data from them;
S2, constructing a generative adversarial network model, taking the multi-sequence data as its input, letting its generative model and discriminative model play against each other, updating the loss function and the cross entropy of the generative adversarial network model by back propagation, obtaining the generative adversarial network model with optimal parameters, and outputting a balanced log training data set;
S3, introducing a hyperparameter meta-network as the meta-learner in meta-learning, wherein the network uses the current network weights and the total loss function of each step to generate a learning rate parameter and a weight decay coefficient, so that each inner-loop iteration in the meta-learning training process can adapt to the given task;
S4, taking the generative adversarial network model with optimal parameters as the base learner for meta-learning, and taking the hyperparameter meta-network as the meta-learner, to construct a log detection meta-learning model;
S5, inputting the balanced log training data set into the log detection meta-learning model for classification model training, and outputting the classification of the log.
It should be noted that the hyperparameter meta-network is an adaptive hyperparameter meta-learning neural network. Hyperparameters are parameters set before the learning process starts, and setting appropriate hyperparameters improves the performance and effect of the neural network.
In this method, a balanced data set is generated by the generative adversarial network, the generated balanced data set is input into the meta-learning model for training, and the log classification is output. This effectively solves the technical problem that system log detection is inaccurate when the log data is unbalanced or the log data volume is too small, and improves the accuracy of system log detection.
As shown in Fig. 2, as an alternative implementation, the step of acquiring the log text data and system hardware data of the system and constructing standard multi-sequence data, that is, step S1, includes:
S11, acquiring system log text data from the main log text sequence of the system, extracting log template sequence numbers with a log parser, and obtaining a log data sequence of size N x 1;
S12, acquiring system hardware sequence data of size N x N at a frequency of 1/s, wherein the hardware sequence data comprises the index information of each piece of system hardware and the corresponding acquisition time, and N is the number of indexes acquired from the system hardware;
S13, matching the system log text data and the system hardware data along the time dimension, that is, matching the log data sequence of size N x 1 with the hardware sequence data of size N x N in time order into standard multi-sequence data of size N x (1 + N), wherein each piece of system log data corresponds to one piece of system hardware sequence data.
It should be noted that, optionally, the hardware sequence information may include information about the CPU, random access memory (RAM), buffer and hard disk of the system. In this embodiment, the number of system hardware acquisition indexes is 4, and the acquired system hardware sequence information comprises the 4 indexes of CPU, RAM, buffer and hard disk, together with the corresponding times.
In this implementation, the log data sequence and the hardware sequence data are matched along the time dimension to build standard multi-sequence data, so that the data is better ordered and easier to use.
Optionally, in order to eliminate the influence of differing units on the result, the hardware data is normalized to obtain the normalized system hardware data:
Figure BDA0003886081450000101
Figure BDA0003886081450000102
where $X_{hw}$ is the hardware data, and $\max(X_{hw})$ and $\min(X_{hw})$ are the maximum and minimum values in the system hardware data, respectively.
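Steps S11 to S13 and the normalization above, as an added example that is not code from the patent: a small masking parser stands in for the log parser, hardware columns are scaled with standard min-max normalization (assumed, since the patent's formula is only available as a figure), and each log entry is joined to the latest hardware sample at or before its timestamp. All log lines, hardware values and function names are constructed for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Constructed sample input (not from the patent): five syslog-style entries.
RAW_LOGS = [
    "2022-10-12 08:00:00 sshd: Accepted password for alice from 10.0.0.5 port 50122",
    "2022-10-12 08:00:01 sshd: Failed password for root from 203.0.113.9 port 40022",
    "2022-10-12 08:00:01 kernel: Out of memory: Killed process 4121",
    "2022-10-12 08:00:03 sshd: Failed password for root from 203.0.113.9 port 40023",
    "2022-10-12 08:00:04 sshd: Accepted password for bob from 10.0.0.7 port 50311",
]

# Constructed hardware samples, nominally one per second; 08:00:03 is missing.
# Columns: time, CPU %, RAM MB, buffer MB, disk %.
RAW_HW = [
    ("2022-10-12 08:00:00", 10.0, 2048.0, 128.0, 40.0),
    ("2022-10-12 08:00:01", 55.0, 3900.0, 64.0, 40.0),
    ("2022-10-12 08:00:02", 30.0, 2500.0, 96.0, 40.0),
    ("2022-10-12 08:00:04", 20.0, 2100.0, 128.0, 40.0),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Variable fields replaced by a wildcard so that entries collapse to templates.
MASKS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),  # IPv4 addresses
    re.compile(r"(?<= for )\S+"),                # account name after "for"
    re.compile(r"\b\d+\b"),                      # remaining integers
]


def to_template(message):
    """Mask variable fields of one log message."""
    for pattern in MASKS:
        message = pattern.sub("<*>", message)
    return message


def log_sequence(lines):
    """S11: return [(timestamp, template number)] and the template table."""
    templates, sequence = {}, []
    for line in lines:
        stamp = datetime.strptime(line[:19], TS_FORMAT)
        number = templates.setdefault(to_template(line[20:]), len(templates) + 1)
        sequence.append((stamp, number))
    return sequence, templates


def min_max_normalise(samples):
    """Scale every hardware column to [0, 1]; a constant column becomes 0.0."""
    columns = list(zip(*[row[1:] for row in samples]))
    lows = [min(col) for col in columns]
    highs = [max(col) for col in columns]
    scaled = []
    for row in samples:
        values = [(v - lo) / (hi - lo) if hi > lo else 0.0
                  for v, lo, hi in zip(row[1:], lows, highs)]
        scaled.append((datetime.strptime(row[0], TS_FORMAT), values))
    return scaled


def build_multi_sequence(log_lines, hw_samples):
    """S12 and S13: one row [template number, cpu, ram, buffer, disk] per log entry."""
    sequence, templates = log_sequence(log_lines)
    hardware = sorted(min_max_normalise(hw_samples), key=lambda item: item[0])
    hw_times = [stamp for stamp, _ in hardware]
    rows = []
    for stamp, number in sequence:
        index = bisect_right(hw_times, stamp) - 1  # latest sample at or before stamp
        if index < 0:
            continue  # no hardware sample yet for this entry
        rows.append([number] + hardware[index][1])
    return rows, templates


if __name__ == "__main__":
    multi_sequence, table = build_multi_sequence(RAW_LOGS, RAW_HW)
    for row in multi_sequence:
        print(row)
    print(table)
```

The entry logged at 08:00:03 has no hardware sample of its own and is paired with the 08:00:02 sample; the disk column never changes, so it normalizes to 0.0 instead of dividing by zero.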
Step S2: a generative adversarial network model is constructed, the multi-sequence data is taken as its input, its generative model and discriminative model play against each other, the loss function and the cross entropy of the generative adversarial network model are updated by back propagation, the generative adversarial network model with optimal parameters is obtained, and a balanced log training data set is output.
The generative adversarial network comprises a generative model and a discriminative model. The generative model produces fake samples (samples that do not actually exist) that resemble the actual data, and these fake samples are used to fool the discriminative model into a wrong decision; the discriminative model must decide for each sample whether it comes from the actual data set or is a fake sample produced by the generative model. Through this continuous game the generative model and the discriminative model improve each other until they reach a stable, balanced state, after which the generative model can be used to generate samples that closely resemble real data. In other words, the generative adversarial network learns the data distribution of normal data, and the data generated or reconstructed by the generative model is then regarded as normal data.
As shown in Fig. 3, as an alternative implementation, the training method for the generative adversarial network model in step S2 includes:
S21, inputting the multi-sequence data into the generative model to generate a fake log sample set;
S22, inputting the fake log sample set and the real log sample set into the discriminative model, which judges whether the fake log sample set is real or fake;
S23, during discrimination, continuously updating the parameters of the discriminative model through its loss function until the discriminative model can judge whether the fake log sample set is real or not, at which point training of the discriminative model is finished and the generative model is trained; the trained discriminative model judges the fake log sample set produced by the generative model and feeds the discrimination result back to the generative model;
S24, continuously updating the parameters of the generative model through its loss function, optimizing the fake log sample set it generates;
S25, inputting the fake log sample set produced by the generative model and the real log sample set into the discriminative model for discrimination; when the discriminative model can no longer tell whether an input sample set is the fake log sample set produced by the generative model or the real log sample set, training of the generative model is finished and training of the discriminative model continues;
S26, when the set number of training cycles is reached, the generative model and the discriminative model are in balance, a mature generative model is obtained, and training is finished.
Specifically, assume that the multi-sequence data input into the generative model obeys a prior distribution pi(z) and that the probability distribution of the generative model's output data is p(x); that is, the generative model outputs fake log samples with training-set characteristics that obey the distribution p(x), and training the generative model means learning the mapping between the prior distribution pi(z) of the input data and the probability distribution p(x) of the training set. The real log sample set and the fake log sample set produced by the generative model are input into the discriminative model, which outputs the probability D(x) that the fake log sample set is real. The discriminative model is required to judge as well as possible whether the fake log sample set is real or fake, while the fake log samples produced by the generative model are required to come ever closer to real log samples. Mathematically the discriminative model is y = f(x), which can also be written as the conditional probability distribution p(y | x). When a sample from the fake log sample set is input, the discriminative model outputs a classification label y. The discriminative model learns the mapping between the fake log sample x and the output class label; that is, the purpose of learning is to make the probability of the discriminative model outputting the classification label y, given the fake log sample x, as large as possible.
In this implementation, the generative model and the discriminative model improve each other through their continuous game, so that the fake log sample set produced by the generative model comes closer to the real log sample set.
As an alternative implementation, the step of obtaining an optimization function for generating the confrontation network model includes: continuously updating the parameters of the discrimination model based on the loss function in the discrimination model, wherein the loss function in the discrimination model is
Figure BDA0003886081450000121
where $\theta$ is an initial weight, $m$ is the number of samples, $x_i$ is the i-th true log sample, $Z_i$ is the i-th false log sample, $D(x_i)$ represents the probability that $x_i$ is judged to be a true log, $G(Z_i)$ represents the generated log sample, $D(G(Z_i))$ represents the probability that the generated log sample is judged to be a true log, $\log D(x_i)$ is the probability that the discrimination model judges a true log sample to be true data, and $\log(1 - D(G(Z_i)))$ is the probability that the discrimination model judges a false log sample generated by the generation model to be false data. The discrimination model wants its judgments to be as accurate as possible, so it needs to maximize $\log D(x_i) + \log(1 - D(G(Z_i)))$;
continuously updating the parameters of the generation model based on the loss function in the generation model, wherein the loss function in the generation model is
Figure BDA0003886081450000122
The generation model wants the probability that the discrimination model judges the false log samples to be false to be as low as possible, so the generation model needs to minimize $\log(1 - D(G(Z_i)))$.
Thus, the optimization function of the generative adversarial network model is expressed as:
$$\min_G \max_D V(D,G) = E[\log D(x_i)] + E[\log(1 - D(G(Z_i)))]$$
where $E[\log D(x_i)]$ is the expectation of the probability that the discrimination model judges a true log sample to be true data, and $E[\log(1 - D(G(Z_i)))]$ is the expectation of the probability that the discrimination model judges a false log sample generated by the generation model to be false data.
In this implementation, the generation model and the discrimination model improve each other through a continuous game. When the discrimination model can no longer reach a verdict, that is, when its discrimination accuracy is 50%, the generation model and the discrimination model reach a dynamic balance and no longer update their parameters; at this point the false log sample set generated by the generation model is closest to the real log sample set.
As an alternative implementation, the step of obtaining the generative adversarial network model with optimal parameters includes:
inputting the multi-sequence data into the generation model to generate a false log sample set;
inputting the false log sample set and the true log sample set into the discrimination model to obtain the generation distribution of the false log sample set generated by the generation model;
updating the loss function and the cross entropy of the generative adversarial network model based on back propagation, and updating the model parameters of each layer backward until the optimal parameters of the generative adversarial network model are obtained, wherein the cross entropy is the cross entropy between the sample distribution of the true log sample set and the generation distribution of the generated false log sample set;
the cross entropy H is calculated as:
Figure BDA0003886081450000131
where $p_i$ is the sample distribution of the true log sample set and $q_i$ is the generation distribution of the false log sample set.
In this implementation, back propagation in the generative adversarial network model starts from the output layer of the model and solves the gradients layer by layer from back to front using the chain rule of differentiation, which avoids repeated derivation steps and reduces the amount of computation in training the generative adversarial network model. The generative adversarial network model also optimizes its parameters using the cross entropy between the sample distribution of the true log sample set and the generation distribution of the generated false log sample set, which reduces the difference between the generated samples and the true distribution.
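The min-max objective, the 50% accuracy at balance and the cross entropy described above can be checked numerically on discrete distributions over log template IDs. This is an added example, not code from the patent; the distributions are constructed, and the closed form $D^*(x) = p(x)/(p(x)+q(x))$ for the best discrimination model against a fixed generation model is the standard GAN result, not something stated on this page.

```python
import numpy as np

# Constructed data: share of each log template ID among the true log samples.
P_TRUE = np.array([0.50, 0.30, 0.15, 0.05])

# Constructed generation distributions q at three stages of training.
Q_STAGES = {
    "early": np.array([0.25, 0.25, 0.25, 0.25]),
    "middle": np.array([0.40, 0.30, 0.20, 0.10]),
    "balanced": P_TRUE.copy(),
}


def value_function(p, q, d):
    """V(D,G) = E_p[log D(x)] + E_q[log(1 - D(x))] over discrete samples x."""
    return float(np.sum(p * np.log(d)) + np.sum(q * np.log(1.0 - d)))


def best_discriminator(p, q):
    """Discriminator that maximizes V for a fixed generator (standard result)."""
    return p / (p + q)


def discriminator_accuracy(p, q, d):
    """Accuracy on an equal mix of true and false samples.

    The discriminator calls a sample 'true' when D(x) > 0.5.
    """
    says_true = d > 0.5
    return float(0.5 * p[says_true].sum() + 0.5 * q[~says_true].sum())


def cross_entropy(p, q):
    """H(p, q) = -sum_i p_i log q_i."""
    return float(-np.sum(p * np.log(q)))


def trace():
    """Return {stage: (V at the best D, accuracy of the best D, H(p, q))}."""
    rows = {}
    for stage, q in Q_STAGES.items():
        d = best_discriminator(P_TRUE, q)
        rows[stage] = (
            value_function(P_TRUE, q, d),
            discriminator_accuracy(P_TRUE, q, d),
            cross_entropy(P_TRUE, q),
        )
    return rows


if __name__ == "__main__":
    for stage, (v, acc, h) in trace().items():
        print(f"{stage:9s} V={v:.4f} accuracy={acc:.2f} H(p,q)={h:.4f}")
```

As q approaches p, V at the best discriminator falls to -2 log 2, the accuracy falls to 50%, and H(p, q) falls to the entropy of p, which is the balance point the text describes.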
As shown in Fig. 4, as an alternative implementation, step S3 includes:
S31, inputting the balanced log training data set into a meta-learning network for pre-training, giving k subtasks in the pre-training task, and dividing the data set of each subtask into a training set and a test set;
S32, training on the training sets of the k subtasks respectively to obtain the model parameters of each subtask; testing the model parameters of each subtask with the test set of that subtask, and calculating the loss function $l_k$ between the predicted value and the real label in each subtask;
S33, based on the loss function $l_k$ of each subtask, obtaining the loss function of the meta-learning network
Figure BDA0003886081450000141
which is:
Figure BDA0003886081450000142
where $D_i$ represents the probability that the generated log in the i-th training task is judged to be true, $T_i$ represents the i-th training task, $l_h$ represents the loss function of the h-th training task, and $l_1 \ldots l_k$ are the loss functions of the subtasks.
It should be noted that the training set and the test set are taken from the input balanced log training data set; the training set is used to train the meta-learning network, and the test set is used to test the trained meta-learning network.
Pre-training the meta-learning network yields the loss function of the meta-learning network
Figure BDA0003886081450000143
that is, the sum of the loss functions of all subtasks; the loss function of the meta-learning network is used to update the parameters of each subtask.
As an optional implementation, step S3 further includes:
S34, taking the parameters of the subtask with the best model parameters among the k subtasks as the initial parameters of a hyper-parametric meta-network and setting them as the initial weight $\theta$ of the network; performing model training on the balanced log training data set based on the initial parameters and the loss function of the meta-learning network, and adapting to the training task with a fixed number of inner-loop updates, where the update is:
Figure BDA0003886081450000151
where $\lambda$ is a regularization coefficient that reduces the risk of model overfitting, $\theta_{i+1}$ is the weight at step i+1, and $\theta_i$ is the weight at step i. The adaptation process is controlled by updating the hyper-parameters in the equation, namely the learning rate parameter $\alpha$ and the regularization parameter $\beta$, where $\beta = 1 - \alpha\lambda$.
S35, generating the optimal hyper-parameters through model training.
Here, the initial weight $\theta$ of the network is the best-performing set of parameters among the k subtasks obtained in the pre-training process.
In this implementation, the hyper-parametric meta-network adapts to different training tasks by updating the hyper-parameters in the equation.
As an optional implementation, step S3 further includes:
the hyper-parameter generation network adopts a 3-layer multi-layer perceptron (MLP) structure activated by rectified linear units (ReLU), takes the mean values of the gradients and weights of each layer as input, first generates the outputs, the learning rate $\alpha$ and the regularization parameter $\beta$, item by item, and then copies these parameters to the respective parameters $\theta_i$.
Through the hyper-parameter generation network, hyper-parameters can be generated adaptively and the parameters are updated by gradient descent, so that the optimal hyper-parameter setting for different training tasks is found.
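The inner-loop adaptation with generated hyper-parameters can be sketched as follows; this is an added example, not code from the patent. It assumes the update has the form $\theta_{i+1} = \beta\theta_i - \alpha\nabla L$ (the update equation itself is an image missing from this page; this form is the one consistent with $\beta = 1 - \alpha\lambda$), and the class and function names, the base values `alpha0` and `lam`, the exponential scaling of the network outputs, the untrained random weights and the logistic-regression task are all hypothetical choices made for illustration.

```python
import numpy as np


def relu(x):
    return np.maximum(x, 0.0)


class HyperParamNet:
    """3-layer ReLU MLP: per-layer mean gradient and mean weight -> per-layer (alpha, beta)."""

    def __init__(self, n_layers, hidden=8, alpha0=0.5, lam=0.01, seed=0):
        rng = np.random.default_rng(seed)
        dim = 2 * n_layers
        # Untrained, constructed weights; meta-training would learn these.
        self.W1 = rng.normal(0.0, 0.1, (dim, hidden))
        self.W2 = rng.normal(0.0, 0.1, (hidden, hidden))
        self.W3 = rng.normal(0.0, 0.1, (hidden, dim))
        self.n_layers = n_layers
        self.alpha0 = alpha0
        self.beta0 = 1.0 - alpha0 * lam  # beta = 1 - alpha * lambda

    def __call__(self, grads, weights):
        state = np.array([g.mean() for g in grads] + [w.mean() for w in weights])
        out = relu(relu(state @ self.W1) @ self.W2) @ self.W3
        n = self.n_layers
        # Assumption: outputs scale the base values multiplicatively.
        return self.alpha0 * np.exp(out[:n]), self.beta0 * np.exp(out[n:])


def make_task(seed=1, n=40):
    """Constructed task: 3 normalized features per log window, label 1 = anomalous."""
    rng = np.random.default_rng(seed)
    X = rng.random((n, 3))
    y = (X[:, 1] + X[:, 2] > 1.2).astype(float)
    return X, y


def init_theta():
    """Two 'layers': a weight vector and a bias."""
    return [np.zeros(3), np.zeros(1)]


def loss_and_grads(theta, X, y):
    """Logistic loss and its gradient for each layer."""
    W, b = theta
    p = 1.0 / (1.0 + np.exp(-(X @ W + b)))
    loss = -np.mean(y * np.log(p + 1e-12) + (1 - y) * np.log(1 - p + 1e-12))
    return float(loss), [X.T @ (p - y) / len(y), np.array([np.mean(p - y)])]


def inner_loop(theta, X, y, hyper, steps=5):
    """Fixed number of inner-loop updates; alpha and beta are regenerated every step."""
    losses = []
    for _ in range(steps):
        loss, grads = loss_and_grads(theta, X, y)
        losses.append(loss)
        alpha, beta = hyper(grads, theta)
        # One scalar (alpha, beta) per layer, broadcast over that layer's weights.
        theta = [beta[k] * theta[k] - alpha[k] * grads[k] for k in range(len(theta))]
    losses.append(loss_and_grads(theta, X, y)[0])
    return theta, losses


if __name__ == "__main__":
    X, y = make_task()
    _, losses = inner_loop(init_theta(), X, y, HyperParamNet(n_layers=2))
    print([round(v, 4) for v in losses])
```

With the last layer of the hyper-parameter network zeroed, the step reduces to ordinary gradient descent with L2 weight decay, $\theta - \alpha(\nabla L + \lambda\theta)$, which is where $\beta = 1 - \alpha\lambda$ comes from.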
The invention also provides a system log detection system based on a GAN network and meta-learning which, by introducing a generative adversarial network and a hyper-parametric meta-learning network, solves the technical problems that log data are unbalanced and that the log data volume is too small, and improves the accuracy of system log detection.
As shown in Fig. 5, the present invention provides a system log detection system based on a GAN network and meta-learning, which comprises:
the acquiring module 51, configured to acquire log text data of a system and system hardware data, and to construct standard multi-sequence data;
the generative adversarial network module 52, configured to construct a generative adversarial network model, take the multi-sequence data as the input of the generative adversarial network model, have the generation model and the discrimination model of the generative adversarial network model play a mutual game, update the loss function and the cross entropy of the generative adversarial network model based on back propagation, obtain the generative adversarial network model with optimal parameters, and output a balanced log training data set;
the hyper-parametric meta-network module 53, configured to introduce a hyper-parametric meta-network as the meta-learner in meta-learning, where the hyper-parametric meta-network generates a learning rate parameter and a weight decay coefficient from the current network weights and the total loss function of each step, so that each inner-loop iteration can adapt to a given task during meta-learning training;
the log detection meta-learning model module 54, configured to use the generative adversarial network model with optimal parameters as the basic meta-learner for meta-learning and the hyper-parametric meta-network as the meta-learner, to construct a log detection meta-learning model;
and the classification module 55, configured to input the balanced log training data set into the log detection meta-learning model for classification model training, and to output the classification of the log.
In this implementation, the system log detection system based on a GAN network and meta-learning uses the generative adversarial network module to construct a generative adversarial network model, and obtains the generative adversarial network model with optimal parameters through the continuous mutual game between the generation model and the discrimination model, which solves the technical problem that log data cannot be detected accurately when they are unbalanced. Through the hyper-parametric meta-network module the system introduces the hyper-parametric meta-learning network, and the log detection meta-learning model module constructs the log detection meta-learning model. The meta-learner in the log detection meta-learning model is trained to obtain the optimal hyper-parameter setting, and the trained meta-learner is used to train the basic meta-learner, so that the basic meta-learner detects well even log classes with only a small number of samples. This solves the technical problem that accurate detection is impossible when the log data volume is too small, and improves the accuracy of system log detection.
In summary, the present application provides a system log detection method based on a GAN network and meta-learning, which generates a balanced data set using a generative adversarial network, inputs the generated balanced data set into a meta-learning model for training and learning, and outputs log classifications, thereby effectively solving the technical problem of inaccurate system log detection when log data are unbalanced or the amount of log data is too small, and improving the accuracy of system log detection. In addition, the application provides a system log detection system based on a GAN network and meta-learning, which establishes a generative adversarial network model and a hyper-parametric meta-network model, detects well when the input system log data are unbalanced or the amount of log data is too small, and has high detection accuracy.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.

Claims (10)

1. A system log detection method based on a GAN network and meta learning is characterized by comprising the following steps:
S1, acquiring log text data and system hardware data of a system, and constructing standard multi-sequence data;
S2, constructing a generative adversarial network model, taking the multi-sequence data as the input of the generative adversarial network model, having the generation model and the discrimination model of the generative adversarial network model play a mutual game, updating the loss function and the cross entropy of the generative adversarial network model based on back propagation, obtaining the generative adversarial network model with optimal parameters, and outputting a balanced log training data set;
S3, introducing a hyper-parametric meta-network as the meta-learner in meta-learning, wherein the network uses the current network weights and the total loss function of each step to generate a learning rate parameter and a weight decay coefficient, so that each inner-loop iteration in the meta-learning training process can adapt to a given task;
S4, taking the generative adversarial network model with optimal parameters as the basic meta-learner of meta-learning, and taking the hyper-parametric meta-network as the meta-learner, to construct a log detection meta-learning model;
and S5, inputting the balanced log training data set into the log detection meta-learning model for classification model training, and outputting the classification of the log.
2. The GAN network and meta learning based system log detection method of claim 1, wherein the step S1 comprises:
acquiring system log text data from the main log text sequence of the system, extracting log template serial numbers with a log analyzer, and obtaining a log data sequence of size N × 1;
acquiring system hardware sequence data of size N × n, wherein the hardware sequence data comprise the metric information of each item of system hardware and the corresponding acquisition time, and n is the number of metrics acquired from the system hardware;
and matching the log data sequence with the hardware sequence data along the time dimension to obtain standard multi-sequence data of size N × (1 + n), wherein each piece of system log data corresponds to one piece of system hardware sequence data.
3. The GAN network and meta learning based system log detection method of claim 2, wherein the step S2 comprises:
S21, inputting the multi-sequence data into the generation model to generate a false log sample set;
S22, inputting the false log sample set and the true log sample set into the discrimination model, the discrimination model discriminating whether the false log sample set is a true sample or a false sample;
S23, during discrimination, continuously updating the parameters of the discrimination model by the loss function in the discrimination model until the discrimination model can judge whether the false log sample set is real or not, at which point the training of the discrimination model ends; the trained discrimination model discriminates the false log sample set generated by the generation model and inputs the discrimination result into the generation model;
S24, continuously updating the parameters of the generation model by the loss function in the generation model, and optimizing the false log sample set generated by the generation model;
S25, inputting the false log sample set generated by the generation model and the true log sample set into the discrimination model for discrimination; when the discrimination model cannot tell whether an input sample set is the false log sample set generated by the generation model or the true log sample set, ending the training of the generation model and continuing to train the discrimination model;
and S26, when the set number of training cycles is reached, the generation model and the discrimination model are balanced, a mature generation model is obtained, and training ends.
4. The GAN network and meta learning based system log detection method of claim 3, wherein the step S23 comprises:
continuously updating the parameters of the discrimination model based on the loss function in the discrimination model, wherein the loss function in the discrimination model is
Figure FDA0003886081440000021
where $\theta$ is an initial weight, $m$ is the number of samples, $x_i$ is the i-th true log sample, $Z_i$ is the i-th false log sample, $D(x_i)$ represents the probability that $x_i$ is judged to be a true log, $G(Z_i)$ represents the generated log sample, $D(G(Z_i))$ represents the probability that the generated log sample is judged to be a true log, $\log D(x_i)$ is the probability that the discrimination model judges a true log sample to be true data, and $\log(1 - D(G(Z_i)))$ is the probability that the discrimination model judges a false log sample generated by the generation model to be false data.
5. The GAN network and meta learning based system log detection method of claim 4, wherein the step S24 comprises:
continuously updating the parameters of the generation model based on the loss function in the generation model, wherein the loss function in the generation model is
Figure FDA0003886081440000031
maximizing the loss function in the discrimination model and minimizing the loss function in the generation model, wherein the optimization function of the generative adversarial network model is expressed as:
$$\min_G \max_D V(D,G) = E[\log D(x_i)] + E[\log(1 - D(G(Z_i)))];$$
where $E[\log D(x_i)]$ is the expectation of the probability that the discrimination model judges a true log sample to be true data, and $E[\log(1 - D(G(Z_i)))]$ is the expectation of the probability that the discrimination model judges a false log sample generated by the generation model to be false data.
6. The GAN network and meta learning based system log detection method of claim 5, wherein the step of obtaining the generative adversarial network model with optimal parameters comprises:
inputting the multi-sequence data into the generation model to generate a false log sample set;
inputting the false log sample set and the true log sample set into the discrimination model to obtain the generation distribution of the false log sample set generated by the generation model;
updating the loss function and the cross entropy of the generative adversarial network model based on back propagation, and updating the model parameters of each layer backward until the optimal parameters of the generative adversarial network model are obtained, wherein the cross entropy is the cross entropy between the sample distribution of the true log sample set and the generation distribution of the generated false log sample set;
the cross entropy H is calculated as:
$$H(p,q) = -\sum_i p_i \log q_i$$
where $p_i$ is the sample distribution of the true log sample set and $q_i$ is the generation distribution of the false log sample set.
7. The GAN network and meta learning based system log detection method of claim 6, wherein the step S3 comprises:
inputting the balanced log training data set into a meta-learning network for pre-training, giving k subtasks in the pre-training task, and dividing the data set of each subtask into a training set and a test set;
training on the training sets of the k subtasks respectively to obtain the model parameters of each subtask;
testing the model parameters of each subtask with the test set of that subtask, and calculating the loss function $l_k$ between the predicted value and the real label in each subtask;
based on the loss function $l_k$ of each subtask, obtaining the loss function of the meta-learning network
Figure FDA0003886081440000041
which is:
Figure FDA0003886081440000042
where $D_i$ represents the probability that the generated log in the i-th training task is judged to be true, $T_i$ represents the i-th training task, $l_h$ represents the loss function of the h-th training task, and $l_1 \ldots l_k$ are the loss functions of the subtasks.
8. The GAN network and meta learning based system log detection method of claim 7, wherein the step S3 comprises:
taking the parameters of the subtask with the best model parameters among the k subtasks as the initial parameters of a hyper-parametric meta-network and setting them as the initial weight $\theta$ of the network; performing model training on the balanced log training data set based on the initial parameters and the loss function of the meta-learning network, and adapting to the training task with a fixed number of inner-loop updates, where the update is:
Figure FDA0003886081440000043
where $\theta_{i+1}$ is the weight at step i+1 and $\theta_i$ is the weight at step i; the adaptation process is controlled by updating the hyper-parameters in the equation, the hyper-parameters being the learning rate parameter $\alpha$ and the regularization parameter $\beta$; $\lambda$ is a regularization coefficient, and $\beta = 1 - \alpha\lambda$;
and generating the optimal hyper-parameters through model training.
9. The GAN network and meta learning based system log detection method of claim 8, wherein the step S3 further comprises:
the hyper-parameter generation network adopts a 3-layer MLP structure activated by ReLU, takes the mean values of the gradients and weights of each layer as input, first generates the outputs, the learning rate $\alpha$ and the regularization parameter $\beta$, item by item, and then copies these parameters to the respective parameters $\theta_i$.
10. A system log detection system based on GAN network and meta learning, the system comprising:
the acquisition module, used for acquiring log text data and system hardware data of the system and constructing standard multi-sequence data;
the generative adversarial network module, used for constructing a generative adversarial network model, taking the multi-sequence data as the input of the generative adversarial network model, having the generation model and the discrimination model of the generative adversarial network model play a mutual game, updating the loss function and the cross entropy of the generative adversarial network model based on back propagation, obtaining the generative adversarial network model with optimal parameters, and outputting a balanced log training data set;
the hyper-parametric meta-network module, used for introducing a hyper-parametric meta-network as the meta-learner in meta-learning, wherein the network uses the current network weights and the total loss function of each step to generate a learning rate parameter and a weight decay coefficient, so that each inner-loop iteration can adapt to a given task in the meta-learning training process;
the log detection meta-learning model module, used for taking the generative adversarial network model with optimal parameters as the basic meta-learner of meta-learning and the hyper-parametric meta-network as the meta-learner, to construct a log detection meta-learning model;
and the classification module, used for inputting the balanced log training data set into the log detection meta-learning model for classification model training and outputting the classification of the log.
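The multi-sequence construction of claim 2 (template serial numbers matched to hardware metrics along the time dimension) can be sketched as follows; this is an added example, not code from the patent. The log lines, metric rows, masking rules and the choice of matching each log line to the latest hardware sample at or before its timestamp are all constructed assumptions, and `to_template` is a hypothetical stand-in for the log analyzer.

```python
import bisect
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log lines (N = 4).
LOG_LINES = [
    "2022-10-12 08:00:01 sshd[812]: Accepted password for alice from 10.0.0.5 port 50122",
    "2022-10-12 08:00:07 sshd[815]: Failed password for root from 10.0.0.9 port 40211",
    "2022-10-12 08:00:08 sshd[816]: Failed password for root from 10.0.0.9 port 40213",
    "2022-10-12 08:00:15 kernel: Out of memory: Killed process 4321",
]

# Constructed hardware samples: (acquisition time, cpu %, memory %), so n = 2.
HW_ROWS = [
    ("2022-10-12 08:00:00", 12.0, 40.0),
    ("2022-10-12 08:00:05", 35.0, 41.0),
    ("2022-10-12 08:00:10", 20.0, 45.0),
    ("2022-10-12 08:00:15", 90.0, 97.0),
]


def to_template(message):
    """Mask variable fields so lines from the same event share one template."""
    message = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<IP>", message)
    return re.sub(r"\d+", "<*>", message)


def parse_logs(lines):
    """Return the N x 1 sequence [(timestamp, template serial number)] and the template table."""
    template_ids = {}
    sequence = []
    for line in lines:
        ts = datetime.strptime(line[:19], TS_FMT)
        template = to_template(line[20:])
        # Serial numbers are assigned in order of first appearance, starting at 1.
        tid = template_ids.setdefault(template, len(template_ids) + 1)
        sequence.append((ts, tid))
    return sequence, template_ids


def build_multi_sequence(lines, hw_rows):
    """Join each log entry with one hardware row, giving N rows of 1 + n values."""
    log_seq, _ = parse_logs(lines)
    hw = sorted(
        ((datetime.strptime(r[0], TS_FMT), list(r[1:])) for r in hw_rows),
        key=lambda item: item[0],
    )
    hw_times = [t for t, _ in hw]
    rows = []
    for ts, tid in log_seq:
        # Latest hardware sample taken at or before the log timestamp;
        # fall back to the first sample if the log line predates all of them.
        idx = max(bisect.bisect_right(hw_times, ts) - 1, 0)
        rows.append([tid] + hw[idx][1])
    return rows


if __name__ == "__main__":
    for row in build_multi_sequence(LOG_LINES, HW_ROWS):
        print(row)
```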
CN202211245771.8A 2022-10-12 2022-10-12 System log detection method and system based on GAN network and meta learning Pending CN115423045A (en)


Publications (1)

Publication Number Publication Date
CN115423045A true CN115423045A (en) 2022-12-02



Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094824A (en) * 2023-02-07 2023-05-09 电子科技大学 Detection system and method for few sample malicious traffic
CN116094824B (en) * 2023-02-07 2024-02-20 电子科技大学 Detection system and method for few sample malicious traffic


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination